
Security audit

complex-bug-debugging-with-ai

Security checks across malware telemetry and agentic risk

Overview

This is a debugging workflow, but it asks for broad production-style access (database, Kubernetes, SSH, logs) and, by default, writes a bug report file that can capture sensitive troubleshooting details without clear confirmation from the user.

Use this only for supervised complex debugging. Do not grant broad production, database, Kubernetes, SSH, or log access unless it is scoped and temporary. Require explicit confirmation before any fix, any command with side effects, or any BUGxx.md write, and treat no response as no consent. Redact secrets, tokens, customer data, hostnames, internal service names, and sensitive log content before storing notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Natural-Language Policy Violations

Severity: Medium
Confidence: 91%
Finding
The skill description instructs automatic activation for certain bug-report contexts and strongly frames the interaction model without explicit user opt-in. This can override user preference, steer the session into a rigid workflow, and reduce user autonomy, especially when the skill is invoked implicitly from a broad description field.

Natural-Language Policy Violations

Severity: Medium
Confidence: 97%
Finding
The skill mandates a specific model ('Opus 4.7') and tells the agent not to proceed otherwise, which is a policy-level constraint that can manipulate runtime behavior beyond user intent. In practice this can cause unnecessary refusal, degraded availability, or coercive upsell/switching behavior even when adequate help could still be provided with a disclaimer.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill directs the agent to write BUGxx.md by default, and even to proceed when the user does not respond, but it does not require a clear warning that logs, stack traces, service names, or other potentially sensitive debugging data will be stored. This creates a real risk of persisting confidential operational or personal data to disk without informed user consent.
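The confirmation gate and pre-storage redaction that the overview asks for, and that this finding says the skill lacks, as an added example written for this page (Python; it is not code from the skill or from SkillSpector). The regexes, the `.internal` hostname suffix, the internal service-name list and the sample log lines are assumptions and constructed inputs; tune the rules to your own estate before relying on them.

```python
"""Added example, not code from the audited skill or the SkillSpector page:
a confirmation-gated writer for a BUGxx.md note that redacts tokens, secrets,
customer e-mail, internal hostnames, internal service names and IPv4 addresses
before anything is persisted. The regexes, the '.internal' suffix, the service
list and the sample log are assumptions made for this demo."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Assumed: internal service names that must never appear in stored notes.
INTERNAL_SERVICES = ("billing-api", "ledger-worker")

# (label, regex, replacement). Order matters: whole tokens and key=value
# secrets go before the looser host/IP rules so nothing is half-masked.
# The SECRET rule skips values that are already a redaction marker so a
# second pass over cleaned text reports nothing.
RULES = [
    ("TOKEN", re.compile(r"\b(?:sk|ghp|xoxb|AKIA)[A-Za-z0-9_-]{8,}\b"), "[REDACTED:TOKEN]"),
    ("SECRET", re.compile(r"(?i)\b(password|passwd|secret)\s*[=:]\s*(?!\[REDACTED:)\S+"),
     r"\1=[REDACTED:SECRET]"),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[REDACTED:EMAIL]"),
    ("HOST", re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.internal\b"), "[REDACTED:HOST]"),
    ("SERVICE", re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, INTERNAL_SERVICES))),
     "[REDACTED:SERVICE]"),
    ("IPV4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[REDACTED:IPV4]"),
]


def redact(text: str) -> tuple[str, dict[str, int]]:
    """Apply every rule in order; return cleaned text and per-label hit counts."""
    counts: dict[str, int] = {}
    for label, rx, repl in RULES:
        text, n = rx.subn(repl, text)
        if n:
            counts[label] = n
    return text, counts


def residual_hits(text: str) -> list[str]:
    """Second pass: labels whose pattern still matches after redaction."""
    return [label for label, rx, _ in RULES if rx.search(text)]


def write_bug_note(path: Path, raw: str, confirmed: bool | None) -> bool:
    """Persist the note only on an explicit True. None (no reply) is refused,
    which inverts the skill's 'proceed on no response' default."""
    if confirmed is not True:
        return False
    clean, counts = redact(raw)
    leftovers = residual_hits(clean)
    if leftovers:
        raise ValueError(f"redaction incomplete: {leftovers}")
    summary = ", ".join(f"{k}={v}" for k, v in sorted(counts.items())) or "none"
    path.write_text(f"<!-- redacted: {summary} -->\n{clean}", encoding="utf-8")
    return True


# Constructed sample of the material a debugging session accumulates (assumed).
SAMPLE_NOTE = (
    "2024-05-01T10:02:11Z ERROR billing-api: timeout talking to db01.prod.internal (10.20.30.40)\n"
    "Authorization: Bearer sk_live_ABCDEFGHIJKLMNOPQRST\n"
    "user=alice@example.com password=hunter2 retries=3\n"
    'Traceback: File "/app/worker.py", line 42, in run\n'
)


def demo() -> dict:
    """Exercise the gate three ways in a temp dir and return what was stored."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "BUG01.md"
        silent = write_bug_note(path, SAMPLE_NOTE, confirmed=None)
        declined = write_bug_note(path, SAMPLE_NOTE, confirmed=False)
        accepted = write_bug_note(path, SAMPLE_NOTE, confirmed=True)
        stored = path.read_text(encoding="utf-8")
    return {"silent": silent, "declined": declined, "accepted": accepted, "stored": stored}


if __name__ == "__main__":
    print(demo()["stored"])
```

The traceback location (`worker.py`, `line 42`) survives redaction because it is what the debugging note is for; the credential, the customer address, the internal host, the service name and the IP do not. The second pass in `residual_hits` is the check that matters in practice: a rule set that masks on the first pass but still matches on the second has left something half-redacted.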

VirusTotal

63/63 vendors flagged this skill as clean.
